How to create firewall rule for "non interface" network interface?


How do I "properly" add firewall rules to a network interface that is not "tagged" in interfaces?
Internet <--> eth1<--> WAN: pppoe (eth1) <--NAT--> LAN: bridge (eth0, wlan0)

In the firewall I can add rules for WAN and LAN, but I can't add rules for eth1. I can create an "unmanaged" tag for eth1 and call it e.g. UPLINK, but then pppoe over eth1 stops working :frowning:

I can add "custom" iptables rules for eth1 (and that is how it works now), but I don't think it is "beautiful".

Please show us your custom iptables rules.

1 Like

Use the device option.

1 Like

thx :slight_smile: This option is not documented yet...

What isn't documented yet? Did you open the link?


Screenshot 2021-01-19 092801

The data protocol on eth1 is pppoe, not IP. The firewall is based on the iptables system in the kernel, so it requires IP based packets. It cannot understand pppoe.

The firewall needs to be attached to the IP side of the pppoe driver to inspect packets after they have been unwrapped of pppoe. The pppoe driver virtual interface is pppoe-wan or just wan.

In other words a firewall rule on wan will act on packets flowing to / from the modem since the pppoe driver does a 1:1 encapsulation operation on them.

Option device is useful for setting up a firewall and/or NAT on the end of a layer 3 (IP based) VPN tunnel. Otherwise you'd have to make a dummy network for the tunnel. The VPN client or server application takes care of creating the tunnel virtual interface (tun0 etc) and assigning it an IP address, so an entry in /etc/config/network is not necessary.

I know all that you say. BUT!
From the provider side my eth1 receives different packets like DHCP requests and other "corrupted" IP packets. Sometimes someone scans my eth1 for open ports. And I understand that I am talking about eth1, not about ppp0.

I want to make rules for DROPping IP packets to my eth1. But eth1 is not WAN or LAN, so I need to specify the "raw" device name.
With a custom rule I did it like this: iptables -A INPUT -i eth1 -j DROP.

And yes, I know about the "chain policy" like a default DROP rule. But I can't set that rule right now; many other tests and conditions need to be finished first.

If you do not configure an IP interface on eth1, all IP packets are going to be silently ignored.

If you configure an IP interface on eth1, then you can add it to the firewall rules.

The link I provided you was pointing to the zones, where you can see the option:

Somehow you managed to miss that and scroll all the way down to the rules section.

1 Like
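For readers landing on this thread later, here is what the "device option" answer looks like in /etc/config/firewall. This is an added example, not a config posted by anyone in the thread or shipped by OpenWrt: it attaches the raw eth1 device to its own zone so the stray IP packets the original poster describes (DHCP requests, port scans arriving on the physical uplink) are dropped by the firewall instead of via a hand-written iptables rule, while the pppoe-wan interface keeps its normal wan zone. The zone name "uplink" is an assumption; only the device name eth1 and the wan/lan zones come from the thread.

```text
# /etc/config/firewall (added example, not from the thread)

# Existing zone for the PPPoE session: traffic that has been unwrapped
# from pppoe by the ppp driver shows up here (pppoe-wan / wan), so this
# zone is unchanged.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# New zone bound to the raw device instead of a logical interface.
# 'uplink' is an assumed name. Because it uses 'list device' rather than
# 'list network', no entry in /etc/config/network is needed for eth1 and
# the pppoe session on top of eth1 is not touched (pppoe frames are not
# IP and never reach iptables anyway).
config zone
	option name 'uplink'
	list device 'eth1'
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	# log dropped packets so the scans are visible in logread while
	# the rest of the setup is still being tested
	option log '1'
	option log_limit '10/minute'
```

After `/etc/init.d/firewall restart`, `iptables -S zone_uplink_input` (fw3) shows the generated chain matching `-i eth1`, which replaces the custom `iptables -A INPUT -i eth1 -j DROP` rule. The zone deliberately has no forwarding entries: nothing should be routed to or from the bare uplink device, only the pppoe-wan interface carries routed traffic.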